As described in the OpenShift documentation, the IP address assigned to an OpenShift Pod is only accessible from within the cluster network. You can use the BIG-IP Controller for OpenShift as a router to expose Services to external traffic.

These are the default names used for the virtual servers. You can set custom names for HTTP and HTTPS virtual servers using the route-http-vserver and route-https-vserver configuration parameters, respectively.

apiVersion:extensions/v1beta1kind:Deploymentmetadata:name:k8s-bigip-ctlrnamespace:kube-systemspec:replicas:1template:metadata:name:k8s-bigip-ctlrlabels:app:k8s-bigip-ctlrspec:# Name of the Service Account bound to a Cluster Role with the required# permissionsserviceAccountName:bigip-ctlrcontainers:-name:k8s-bigip-ctlrimage:"f5networks/k8s-bigip-ctlr:1.4.0"env:-name:BIGIP_USERNAMEvalueFrom:secretKeyRef:# Replace with the name of the Secret containing your login# credentialsname:bigip-loginkey:username-name:BIGIP_PASSWORDvalueFrom:secretKeyRef:# Replace with the name of the Secret containing your login# credentialsname:bigip-loginkey:passwordcommand:["/app/bin/k8s-bigip-ctlr"]args:["--bigip-username=$(BIGIP_USERNAME)","--bigip-password=$(BIGIP_PASSWORD)",# Replace with the IP address or hostname of your BIG-IP device"--bigip-url=10.190.24.171",# Replace with the name of the BIG-IP partition you want to manage"--bigip-partition=openshift","--pool-member-type=cluster",# Replace with the path to the BIG-IP VXLAN connected to the# OpenShift HostSubnet"--openshift-sdn-name=/Common/openshift_vxlan",# Enables use of a BIG-IP device as an OpenShift Router"--manage-routes=true",# Assign an IP address to the BIG-IP virtual server# Be sure to use an IP address from the HostSubnet to which the# BIG-IP device connects"--route-vserver-addr=1.2.3.4",# OPTIONAL: Provide an "f5type" label you want the BIG-IP Controller# to watch for. This information should be defined in a Route# Resource (for example, "f5type: App1")"--route-label=App1"]imagePullSecrets:-name:f5-docker-images-name:bigip-login

apiVersion:v1kind:Routemetadata:labels:name:myServicename:myService-route-edgenamespace:defaultannotations:# Specify a supported BIG-IP load balancing modevirtual-server.f5.com/balance:least-connections-member# Provide the name of an existing BIG-IP client SSL profilevirtual-server.f5.com/clientssl:/Common/client-ssl# Provide the name of an existing BIG-IP server SSL profilevirtual-server.f5.com/serverssl:/Common/server-sslspec:host:mysite.example.compath:"/myApp"port:targetPort:443tls:certificate:|-----BEGINCERTIFICATE-----[...]-----ENDCERTIFICATE-----key:|-----BEGINPRIVATEKEY-----[...]-----ENDPRIVATEKEY-----caCertificate:|-----BEGINCERTIFICATE-----[...]-----ENDCERTIFICATE-----termination:edgeinsecureEdgeTerminationPolicy:Allowto:kind:Servicename:myService

apiVersion:v1kind:Routemetadata:labels:name:myServicename:myService-route-passthroughnamespace:defaultannotations:# Specify a supported BIG-IP load balancing modevirtual-server.f5.com/balance:least-connections-member# Provide the name of an existing BIG-IP client SSL profilevirtual-server.f5.com/clientssl:/Common/client-ssl# Provide the name of an existing BIG-IP server SSL profilevirtual-server.f5.com/serverssl:/Common/server-sslspec:host:mysite.example.compath:"/myApp"port:targetPort:443tls:termination:passthroughto:kind:Servicename:myService

apiVersion:v1kind:Routemetadata:labels:name:myServicename:myService-route-reencryptnamespace:defaultannotations:virtual-server.f5.com/balance:round-robin# Provide the name of an existing BIG-IP client SSL profilevirtual-server.f5.com/clientssl:/Common/client-ssl# Provide the name of an existing BIG-IP server SSL profilevirtual-server.f5.com/serverssl:/Common/server-ssl# Set to True to validate the server-side SSL certificate of# re-encrypt terminated routes.virtual-server.f5.com/secure-serverssl:Truespec:host:mysite.example.compath:"/myApp"port:targetPort:httpstls:certificate:|-----BEGINCERTIFICATE-----[...]-----ENDCERTIFICATE-----key:|-----BEGINCERTIFICATE-----[...]-----ENDCERTIFICATE-----destinationCACertificate:|-----BEGINCERTIFICATE-----[...]-----ENDCERTIFICATE-----termination:reencryptto:kind:Servicename:myServiceweight:100

apiVersion:v1kind:Routemetadata:name:route-unsecuredannotations:# Specify a supported BIG-IP load balancing modevirtual-server.f5.com/balance:fastest-node# Provide the name of an existing BIG-IP client SSL profilevirtual-server.f5.com/clientssl:/Common/client-ssl# Provide the name of an existing BIG-IP server SSL profilevirtual-server.f5.com/serverssl:/Common/server-sslvirtual-server.f5.com/health:|[{"path":"mysite.example.com/app1","send":"HTTP GET /health/app1","interval":5,"timeout":10}]spec:host:mysite.example.compath:"/app1"to:kind:Servicename:myService1

By default, the Controller creates custom BIG-IP SSL Profiles using the certificates and keys defined in the Route resource.
You can also use an existing BIG-IP SSL profile to secure traffic for a Route.

Each SSL profile applies to one (1) individual Route. In addition, the Controller creates one client ssl
and one server ssl profile for the https virtual server, called “default-client-ssl” and “default-server-ssl”.
These are the default profiles used for SNI.